Technical Committee Exploratory Charter: Security and Identity

The Security and Identity Committee will develop a Security Framework, which is a body of security-related knowledge within the context of the VoiceXML space.

1 Summary

End Date

24 November 2011

Champion

Valene Skerpac (iBiometrics) (chair)

IP Policy

RAND

2 Background

The committee is formed in recognition of the increasing need for VoiceXML applications to play an important role in critical applications, including those that provide authentication and secure access to applications and system resources. The growing number and continual evolution of security attacks require industry and organizational use of established security methodologies that include process-oriented and technical approaches. The regulatory environment also drives the need for secure VoiceXML.

3 Scope

The committee will use established security approaches to perform a VoiceXML risk assessment for a collection of use cases. The exploratory committee identified ANSI X9.84-2010, Biometric Information Management and Security, as a basis of its security framework and risk assessment of the VoiceXML environment.

4 Deliverables

The committee has a single deliverable: a VoiceXML Risk Assessment. This risk assessment will analyze the impact of security threats in the VoiceXML environment. The assessment will include a threat analysis that will identify security weaknesses and associated controls needed to protect assets and functions. The risk assessment will be developed through the following activities:

The committee will tailor for the VoiceXML environment known biometric security considerations and possible attacks or weaknesses along with protection mechanisms as identified in X9.84. For example, a hill-climbing attack is a known biometrics attack in which an attacker repeatedly modifies biometric input and views the corresponding output verification score until the score is above a prescribed threshold, thereby achieving false acceptance. The proposed risk assessment document will describe a hill-climbing attack in a VoiceXML environment and recommend techniques to thwart such an attack.

Committee members will perform VoiceXML threat modeling which gathers crucial information, including components, use scenarios, dependencies, assumptions, entry points and trust levels, to produce data flow diagrams. These diagrams will describe components with inputs, outputs and logical internal processes, and will be the heart of the threat analysis. Brainstorming efforts will go through all potential threats and categorize them according to the need for mitigation and the degree to which they are currently mitigated.

The draft of the risk assessment will be reviewed quarterly. The document delivered at the end date of the committee will be complete, but it will also be a "living" document, as new threats can materialize. The risk assessment document can be used as a basis for future activities, which will include periodically revisiting the risk assessment.

5 Dependencies

There are several external efforts that may influence the security framework.

Internet Engineering Task Force (IETF) – The IETF has defined many of the security protocols used for exchanging data (media, application documents, etc.) between components of a VoiceXML deployment.

World Wide Web Consortium (W3C) – The W3C has defined several security mechanisms which may interact with VoiceXML 3.0. There is an established relationship between the W3C and VoiceXML Forum based on a 2001 Memorandum of Understanding.

OASIS (Organization for the Advancement of Structured Information Standards) – OASIS drives the development, convergence and adoption of open standards for the global information society. They have been instrumental in developing Web, Web Service, SOA, and Security practices and standards.

6 Communications

The committee will have weekly conference calls. In addition, the committee will hold quarterly reviews of the draft documents by a larger group of members knowledgeable in application use cases, Speaker Identification and Verification (SIV), security, VoiceXML, and related standards.

7 Participant Requirements and Commitment

Committee members who can participate weekly will spend 1-3 hours per week and reviewers will spend 5 to 10 hours in a given quarter. Invited expert Dan Burnett will participate.

This charter was approved under the 01 Nov 2010 operating policies of the VoiceXML Forum. The terms of those operating policies apply.